Xray Reports

Overview

The Xray reports feature enables you to collect and view information on the Xray scanning of your packages and artifacts. Ultimately, it serves as a point-in-time report presenting information in a visual method to help you gain insights on the different scanning results that Xray provides.

You can define what information you would like to see in each report by setting a scope and advanced filters to help you narrow down the data you would like to analyze.

You can generate, view, and export reports to a PDF, JSON, or CSV file through the JFrog Platform or REST API. Each file format will provide you with different capabilities depending on your needs. These files can be further used by applications and tools that your organization uses to gain further analytics.

Important Details

In order to use this feature, you need the following:

Xray versions 3.8 and above.
Artifactory version 7.7 and above.
Manage Reports role permissions set in Users and Groups.

Page Contents

Report Types

The report feature offers different report types depending on the data you would like to view. Currently these report types are available:

Vulnerabilities Report
License Due Diligence Report
Violations Report
Operational Risk Report

Vulnerabilities Report

The Vulnerabilities report provides information about vulnerabilities in your artifacts, builds, and release bundles. In addition to the information provided in the JFrog Platform on each of these entities, the report gives you a wider range of information such as vulnerabilities in multiple repositories, builds and release bundles. Criteria such as vulnerable component, CVE, cvss score, and severity are available in the report.You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible vulnerabilities report, that is available both through the JFrog Platform and REST API.

Due Diligence Licenses Report

The License Due Diligence report provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. This report provides due diligence license related information on each component for a selected scope. Due diligence license information includes information such as unknown licenses and unrecognized licenses found in your components. You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible due diligence report, that is available both through the JFrog Platform and REST API.

Violations Report

The Violations report requires Artifactory version 7.10.6 and above.

The Violations report provides you with information on security and license violations for each component in the selected scope. Violations information includes information such as type of violation, impacted artifacts, and severity. You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible violations report, that is available both through the JFrog Platform and REST API.

Operational Risk Report

The Violations report requires Artifactory version and above.

The Operational Risk report provides you with additional data on OSS components that will help you gain insights into the risk level of the components in use, such as; EOL, Version Age, Number of New Versions, and so on. For more information, see Components Operational Risk. You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible violations report, that is available both through the JFrog Platform and REST API.

A report is configured by default to a limit of 100,000 rows. This limit is configurable by setting the rowsLimit parameter in the Xray system YAML file.

Creating a Report

Requires Permissions

To create a report, you need the Manage Reports role permissions set in Users and Groups.

Step 1 Creating a New Report

Navigate to Application module | Security & Compliance | Reports and select Create New.

Step 2 Selecting a Scope

Select a scope to generate the list for that particular scope. You can only select one scope at a time.

Vulnerabilities

Due Diligence Licenses

Violations

Starting from Xray 3.27.2 and above with Artifactory version 7.21.3 and above, if you are using Projects, you can generate a Global Report on the Projects scope for all report types:

Repositories Scope

Select the repositories you would like to view information for in the report. You can narrow select specific repositories and include/exclude patterns to filter out specific repositories. In each field, you can specify a list of Ant-like patterns to filter in and filter out artifact queries. Filtering works by subtracting the excluded patterns (default is none) from the included patterns (default is all).

Example:

Consider that the Include Patterns and Exclude Patterns for a repository are as follows:

Include Patterns: org/apache/**,com/acme/**
Exclude Patterns: com/acme/exp-project/**

In this case, the repository is searched for org/apache/maven/parent/1/1.pom and com/acme/project-x/core/1.0/nit-1.0.jar but not for com/acme/exp-project/core/1.1/san-1.1.jar because com/acme/exp-project/** is specified as an Exclude pattern.

Builds Scope

Select the build you would like to view information for in the report. You can select builds by name or by pattern.

Filter your builds selection by patterns, or select to view only the latest. You can also select the number of latest build versions. The default is 1 and you can set to any number to display the latest build versions.

Release Bundles Scope

Select the release bundles you would like to view information for in the report. The selection of the release bundles scope is the same as the builds scope selection.

Projects Scope

For Xray version 3.27.2 and above with Artifactory version 7.21.2 and above. Only for Enterprise and Enterprise+ subscription types with Projects.

For Global Reports when in the context of All in Projects, you can select the projects you would like to view information for in the report. You can select projects by name or by project keys pattern.

Step 3 Using Advanced Filters

Use advanced filters to narrow down the scope of the data you would like to see in the report.

Vulnerabilities Report Advanced Filters
Due Diligence Report Advanced Filters
Violations Report Advanced Filters
Operational Risk Report Advanced Filters

Vulnerabilities Advanced Filters

To filter out the vulnerabilities information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:

Example 1: Filter by a specific CVE that was scanned on a particular date.

Example 2: Filter by CVSS2 Score, on a specific scan date, and contains a fix.

Example 3: Filter by a specific impacted artifact, published on a particular date and scan date.

Example 4: Filter by vulnerable component, and severity.

Due Diligence Licenses Advanced Filters

To filter out the licenses information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:

Example 1: Filter by licenses in specific components.

Example 2: Filter by licenses, in specific components and artifacts that were scanned within a time range.

Example 3: Filter for licenses by using a pattern.

Example 4: Filter licenses in components

Unknown Licenses: View licenses in the report that are either known or unknown in Xray components. Unknown displays the components that Xray could not discover any licenses for.Found but Unrecognized: View licenses in the report that are either recognized or unrecgonzied. Unrecognized displays the components that Xray found licenses for, but these licenses are not Xray recognized licenses.

Violations Advanced Filters

To filter out the violations information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:

Example 1: License and Security ( View licenses and security violations in specific watches and policies, unknown licenses and security violations that are severity High)

Example 2: Security Violations (View security violations on a specific component, with a specific CVSS2 score range)

Example 3: Licenses Violations (View license violations in a specific watch, with high severity, and only unknown licenses)

Operational Risk Advanced Filters

To filter out the Operational Risk information you would like to see in the report, you can set advanced filters.

Step 4 Generating a Report

After defining the scope and filters you can generate the report. The report will run in an asynchronous mode, and will be added to the report list page. New reports will be displayed at the top of the list.

Managing the Reports List and Performing Actions on Reports

After you generate a report, it will appear in the reports list. Each report in the list will have the following information:

Name	Description
Report Name	The reports given name
Author	The author that created the report.
Start Time	The time when the report started running.
Status	The status of the report: Running Pending Completed Aborted Failed Abandoned
Progress	Progress of the report Artifacts reported so far Total number of artifacts
Report Length	The number of rows in a report.

You can perform several actions to help you manage the generated reports. In the reports list, click on the Actions drop-down to view all the possible actions, such as:

Viewing a Report
Viewing a Reports Details
Exporting a Report
Cloning a Report
Deleting a Report

Viewing a Report

After a report completes, you can select to view it in the UI. You can export the report to a PDF, JSON, and CVE.

Vulnerabilities Report Example Results

Due Diligence Licenses Report Example Results

Violations Report Example Results

Operational Risk Report Example Results

Viewing Report Details

Displays the details of the report, such as report type, the scope, and filter criteria.

Vulnerabilities Report Details Example

Due Diligence Licenses Report Details Example

Violations Report Details Example

Operational Risk Report Details Example

Exporting a Report

You can export reports to a PDF, JSON, or CSV file. Each file format will provide you with different capabilities depending on your needs. These files can be further used by applications and tools that your organization uses to gain further analytics. Below are some examples of each file format.

PDF

CSV

JSON

{ "total_rows" : 68,
  "rows" : [
{
	"cves": [],
	"summary": "nir4",
	"severity": "High",
	"vulnerable_component": "rubygems://rubygems-update:2.0.6",
	"impacted_artifact": "deb://all:jfrog-artifactory-pro:7.2.0~m027",
	"path": "nir-debian/pool/artifactory-pro-7.2.0-m027.deb",
	"fixed_versions": [],
	"published": "2020-05-26T15:06:05+03:00",
	"issue_id": "CustomIssue_69Q3m2hFXWCFHr0T",
	"package_type": "rubygems",
	"provider": "Custom",
	"description": "s",
	"references": []
	}
,{
	"cves": [
	{
	"cve": "CVE-2020-11612",
	"cvss_v2_score": 7.5,
	"cvss_v2_vector": "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
	}
	],
	"cvss2_max_score": 7.5,
	"summary": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.",
	"severity": "High",
	"vulnerable_component": "gav://io.netty:netty-codec:4.1.38.Final",
	"impacted_artifact": "deb://all:jfrog-artifactory-pro:7.2.0~m027",
	"path": "nir-debian/pool/artifactory-pro-7.2.0-m027.deb",
	"fixed_versions": [
	"4.1.46.Final"
	],
	"published": "2020-04-12T19:41:55+03:00",
	"issue_id": "XRAY-96164",
	"package_type": "maven",

Cloning a Report

Create a clone of an existing report to reuse a report and its defined settings to save you time instead of recreating reports that you use often.

REST API Support

To use REST API for generating and exporting reports, see Reports API.

Content

Space Tools